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The process algebra HYPE was recently proposed as a fine-grained modelling approach for capturing 
the behaviour of hybrid systems. In the original proposal, each flow or influence affecting a variable 
is modelled separately and the overall behaviour of the system then emerges as the composition of 
these flows. The discrete behaviour of the system is captured by instantaneous actions which might 
be urgent, taking effect as soon as some activation condition is satisfied, or non-urgent meaning that 
they can tolerate some (unknown) delay before happening. In this paper we refine the notion of 
non-urgent actions, to make such actions governed by a probability distribution. As a consequence 
of this we now give HYPE a semantics in terms of Transition-Driven Stochastic Hybrid Automata, 
which are a subset of a general class of stochastic processes termed Piecewise Deterministic Markov 
Processes. 



1 Introduction 

Process algebras have been successfully applied to the analysis and verification of a wide variety of sys- 
tems over the last thirty years. Although initially focused on semantic issues of concurrent programming, 
their compositional style and ability to support a number of different analysis techniques has extended 
their use into many application domains. In the realm of quantified analysis stochastic process algebras, 
in which actions are associated with a randomly distributed delay, have been used to study the dynamics 
of diverse systems ranging from the performance of software systems fill to the biochemical signalling 
in living cells [3j. Such an analysis is inherently based on a discrete state view of the system with an 
underlying semantics which is generally a continuous time Markov chain (CTMC). In contrast, recently, 
process algebras have been used to study situations of collective dynamics in which a fluid approxima- 
tion of the discrete state space is used to arrive at a semantics in terms of sets of ordinary differential 
equations (ODEs) lTT0l[T6l . 

Hybrid behaviour arises in a variety of systems, both engineered and natural. Such systems com- 
bine elements of both the approaches outlined above as the system will undergo periods of continuous 
evolution, governed by ODEs, punctuated by discrete events which can alter the course of subsequent 
continuous evolution. Consider a thermostatically controlled heater. The continuous variable is air tem- 
perature, and the discrete events are the switching on and off of the heater by the thermostat in response 
to the air temperature ifTTIl . Another example would be a genetic regulatory network, such as the Re- 
pressilator [5, 6], in which genes can be switched on or off by interactions with their environment (more 
precisely, with transcription factor proteins). The behaviour of such systems can be regarded as a col- 
lection of sets of ODEs, the discrete events shifting the dynamic behaviour from the control of one set 
of ODEs to another. This is the approach taken with hybrid automata [9]. Given the previous success 
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of capturing discrete and continuous scenarios with process algebras in the past it is therefore natural to 
consider process algebras for hybrid settings. 



A number of process algebras for describing hybrid systems have appeared in recent years 11121 . 
substantially differing in the approaches taken relating to syntax, semantics, discontinuous behaviour, 
flow-determinism, theoretical results and availability of tools. However, they are all similar in their 
approach in that the dynamic behaviour of each subcomponent must be fully described with the ODEs 
for the subcomponent given explicitly in the syntax of the process algebra, before the model can be 
constructed. What distinguishes HYPE [7 ] is that it captures behaviour at a fine-grained level, composing 
distinct flows or influences which act on the continuous variables of the system. At a superficial level this 
removes the need to explicitly write ODEs in the process algebra syntax. Instead the dynamic behaviour 
emerges, via the semantics of the language, when these elements are composed. Moreover the use of 
flows as the basic elements of model construction has advantages such as ease and simplification of 
modelling. This approach assists the modeller in allowing them to identify smaller or local descriptions 
of the model and then to combine these descriptions to obtain the larger system. The explicit controller 
also helps to separate modelling concerns. 

In the original definition of HYPE, discrete actions are termed events and are always considered 
instantaneous although some are subject to an activation condition which will determine when that in- 
stantaneous jump occurs. Most events are conditioned on the values of continuous variables which are 
evolving in the system and will be triggered when the activation condition becomes true; such events 
are termed urgent. Many systems also respond to events which are not so tightly tied to the continuous 
evolution of the system and may appear to occur randomly. In the original definition of HYPE such 
actions were given an undefined activation condition, denoted _L and termed non-urgent. However if we 
wish to carry out quantified analysis of the constructed models such events may be regarded as under- 
specified since we capture no information about their potential firing. Thus here we seek to refine this 
notion of non-urgent events, by introducing stochastic actions. These actions will have an activation 
condition which is a random variable, capturing the probability distribution of the time until the event 
occurs. Thus these event still occur non-deterministicaily and are not directly linked to the values of 
continuous variables, but they are now quantified and so the models admit quantitative analysis. 

This small modification substantially enriches the class of underlying mathematical processes which 
capture the behaviour of systems modelled in HYPE. Previously we gave HYPE a semantics in terms of 
hybrid automata [9]. Now we give a semantics in terms of Piecewise Deterministic Markov Processes 
(PDMPs) [4 1, using the richer class of automata, Transition Driven Stochastic Hybrid Automata (TD- 
SHA) as an intermediary. Due to space constraints, in this paper we will only show how to associate a 
TDSHA for a given HYPE model. Mapping TDSHAs to PDMPs can be done along the lines of [2]. 

TDSHA have also been used in [1] to define a hybrid semantics for PEPA, a well-known stochastic 
process algebra [1 1J. That application of TDSHA is rather different from the one presented here. In H), 
we construct a hybrid system approximating the behaviour of the CTMC associated with a PEPA model 
by the standard semantics, using just continuous flows and stochastic events. HYPE, by contrast, is a 
process algebra expressly designed to model hybrid system, hence it deals with both instantaneous and 
stochastic events. 

The rest of this paper is organised as follows. In Section [2] we briefly recall the basic notions of 



HYPE by means of a running example, explaining how to extend it in the stochastic setting in Section 2. 1 
Sections[3]and|4]are devoted to recall the definition of TDSHA and to describe how to construct a TDSHA 
for a given HYPE model. Finally, Sections|5]and[6]discuss related work and draw final conclusions. 
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2 HYPE Definition 



In this section we recall the definition of non-stochastic HYPE by way of a running example. More 
details about the language can be found in (7J[8l. 

We consider an orbiter which travels around the earth and needs to regulate its temperature to remain 
within operational limits. It has insulation but needs to use a heater at low temperatures and at high 
temperatures it can erect a shade to reflect solar radiation and reduce temperature. Its HYPE model, is 
given in Table [T] The whole system is described by TempCtrl, and it is composed of two pieces: an 
uncontrolled system Sys and a controller Con, plus some additional information. 

HYPE modelling is centered around the notion of flow, which is some sort of influence continuously 
modifying one variable. Both the strength and form of a flow can be changed by events. In our example, 
we identify four flows affecting the temperature, modeled by the variable K. One is due to thermody- 
namic cooling, one is due to the heater, one is due to the heating effect of the sun and one is due to the 
cooling effect of the shade. 

Flows are described by the uncontrolled system, a composition of several sequential subcomponents, 
each modelling how a specific flow is changed by events. For instance, in Table [T] the subcomponent 
Heat describes the heating system, which reacts to the events turning it on and off (on and off) . The 
tuple (h,^, const) following event on, is called an activity or an influence and describes how the heater 
affects the temperature when it is working: h is the name of the influence, which provides a link to the 
target variable of the flow (K in our example), 77, is the strength of the influence and const is the influence 
type, identifying the functional form of the flow (which is specified separately by the interpretation 
[con*?] = 1). When the heater is turned off, the influence (h,rh, const) is replaced by (h,0, const), i.e. 
the influence strength of the heater becomes zero. The other subcomponents affecting temperature are 
Shade, Sun, and Cool(K), while Time keeps track of the flow of time. States of a HYPE model are 
collections of influences, one for each influence name, defining a set of ordinary differential equations 
describing the continuous evolution of the system. For instance, (h,^, const) contributes to the ODE of 
K with the addend ry,[c0/wf] = r/,. 

The controller Con, instead, is used to impose causality on events, either due to nature (such as the 
alternation of day and night) or by design. For instance, Con}, expresses the fact that the heater can be 
turned off only if it is on. Events happen when certain conditions are met by the system. These event 
conditions are specified by a function ec, assigning to each event a guard or activation condition (stating 
when a transition can fire) and a reset (specifying how variables are modified by the event). For example, 
ec(on) = (K < ki,true) states that the heater is turned on when the temperature falls below a threshold 
&2 and no variable is modified and gc( dark ) = (T = 24, T' = 0) states that the event dark happens after 
24 hours and resets the clock T to zero. Events in HYPE are urgent, meaning that they fire as soon as 
their guard becomes true. HYPE has also non-urgent events, whose guard is denoted by _L. They can 
happen after an unconstrained, non-deterministic time delay. 

A full HYPE model is given by (ConSys,y,IN,IT,£',£/,ec,iv,EC,ID), where ConSys is the con- 
trolled system, 'f is the set of continuous variables, $ is the set of events, EC is the set of event con- 
ditions, ec : $ — > EC associates event conditions to events, IN is a set of influence names, IT is a set of 
influence types, s/ is a set of possible influences, iv : IN — )■ "V maps influence names to variable names, 
and ID associates a real-valued function with each influence type. Formally, the semantics of HYPE is 
defined via structured operational semantics GHU, which is then interpreted in terms of hybrid automata. 
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TempCtrl = Sys [XI init. Con with M = {init, on, off, up , down , light , dark }. 
Sys = (((Heat W Srtade) M 5wn) W Cool(K)) M 77me 

y vvv {ink} ' {init} ' {ink} v /7 {inil.light.dark} 

//eatf = on: (ft, r;, , const) .Heat + off : (ft, 0, const) .Heat + init : (h,0, const). Heat 
Shade = up: (J,— r</, const). Shade + down: (d,0, const). Shade + 
init : (J, 0, const) .Shade 
Sun = light : (s, r t , const) .Sun + dark : (s, 0, const) .Sun + init : (s, 0, const) .Sun 
Cool(K) = init : (c,-ldinear(K)).Cool(K) 

Time = light : (7, 1 , const) . Time + dark : (?, 1 , const) .Time+ init : (7, \,const).Time 

Con = Cow/, IXI Co«rf tXlCo« < 
Co«/, = on.off.Cow/, Co«^ = up . down .Cow^ Co« s = light , dark . Cow, 

?v(?) = T j'v(/i) = /v((i) = iv(s) = iv{c) = K 

ec('mit) = (true,(K' = t AT' = 0)) 

gc (off) = (K >k\,true) gc(on) = (K<k2,true) 

ec( up ) = (K >ki,true) ec ( down ) = (K <k/[,true) 

ecQight) = (r = 12,?r M e) ec(dark) = (T = 24,T' = 0) 

Figure 1 : Orbiter model in HYPE. 



2.1 HYPE with stochastic events 

We now consider how the HYPE language can be enriched with stochastic transitions, namely events 
which are not triggered by particular values of system variables but according to a random variable, 
whose distribution may depend on system variables or may be independent. These transitions may 
be considered as a generalisation of the non-urgent transitions which were previously specified with 
the event condition _L. In the simplest case they will correspond to an event which occurs after an 
exponentially distributed delay with constant fixed rate. 

To illustrate the use of stochastic transitions we consider an extension of our previous orbiter exam- 
ple. We now suppose that as well as monitoring its own temperature in order to regulate it and maintain 
correct operation, the orbiter is also collecting temperature data. These data are periodically downloaded 
to earth. The instigation of the download comes from a control room on earth and is outside the control 
of the orbiter. This will be governed by an exponential distribution with a fixed, constant rate. Between 
downloads, data will accumulate deterministically at a constant rate. When a download is commenced 
its duration will depend on the amount of data which has currently accumulated and will thus be an 
exponential distribution with a fixed parameter which depends on a system variable. It is possible to also 
imagine a download rate which is dependent on the current temperature of the orbiter, which would be 
an exponential distribution with a variable rate. 

We assume that the system variable recording the amount of data currently stored on the orbiter is 
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D. The value of D is governed by two influences representing the accumulation and downloading of data 
respectively. These are 8\ = (dw, r, const) ;5q = (dw,0, const) respectively. Clearly both these correspond 
to a single influence name dw, with iv(dw) = D. 

The two events that modify the status of the influence dw are request and completed, and they are 
stochastic. We model this fact by assuming that their activation condition is a rate function, depending 
on the value of continuous variables, which is the parameter of the exponential distribution governing 
their firing time. Resets, instead, behave as for instantaneous transitions. Hence, 

ec (request) = (X r ,true) ec(completed) = I —,D' = ) . 

The form of the rate function for completed guarantees that its rate is X j\l when D = and goes mono- 
tonically to zero as D goes to infinity (i.e. expected time of the event is minimal when there is no data, 
and grows linearly with D). Here A/jU represents the maximum downloading speed (which is achieved 
when there is no data to collect), while /I controls the amount of data required to halve the download 
speed. 

Then, the full orbiter model is obtained by adding one more component to the uncontrolled system 
of previous section. 

Dwnldr = ink : 8i .Dwnldr + request : 8q. Dwnldr + completed : 5i .Dwnldr 

Furthermore, the downloading events are controlled by the following controller, synchronizing them with 
the rest of the system: 



tk) 



Condw = request.completed. Con^ 

Note how the compositionality of HYPE allows us to extend models in a simple and natural way. 

From a syntactic point of view, a stochastic HYPE model is described by a tuple (ConSys, y,IN,IT, 
<od,£' s ,£/,ec, iv,EC,ID) in a similar fashion to HYPE. The main difference with respect to non-stochastic 
HYPE is that events are separated into two disjoint sets, S^ and S s , the instantaneous and the stochastic 
events, respectively Furthermore, event conditions are different between instantaneous and stochastic 
events. From a semantic point of view, instead, the semantics of stochastic HYPE will be defined by 
associating a (Transition-Driven) Stochastic Hybrid Automaton to each HYPE model, as described in 
the next sections. We now give the formal definition of a stochastic HYPE model which consists of a 
controlled system together with the appropriate sets and functions. 

Definition 1 A stochastic HYPE model is a tuple (ConSys,Y,IN,IT,S' c i,S' s ,£/,ec,iv,EC,ID) where 

• ConSys is a controlled system as defined below. 

• V is a finite set of variables. 

• IN is a set of influence names and IT is a set of influence type names. 

• S'd is the set of instantaneous events of the form a and a t . 

• $ s is the set of stochastic events of the form a and a~j. 

• sfisa set of activities of the form a(W) = (l,r,I(W)) e(INxRx IT) where fCf. 



'Events a £ $& are indicated by underlined letters, while events a 6 S, \ are denoted by letter with a line above them. A 
generic event, either stochastic or instantaneous, is indicated with a e S = S s U &&. 
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• ec : $ — > EC maps events to event conditions. Event conditions are pairs of activation conditions 
and resets. Resets are formulae with free variables in YuY'. Activation conditions for instanta- 
neous events $& are formulas with free variables in "V and the second, while for stochastic events 
of <§ s , they are functions f : W ' — > M + . 

• iv : IN -^rV maps influence names to variable names. 

• EC is a set of event conditions. 

• ID is a collection of definitions consisting of a real-valued function for each influence type name 

[[/(#')]] = f(W) where the variables in W are from Y. 

• S, .$$ , IN and IT are pairwise disjoint. 

Definition 2 A controlled system is constructed as follows. 

• Subcomponents are defined by C S (W) = S, where C s is the subcomponent name and S satisfies the 
grammar S' ::= a : a.C s \ S' + S' (a £ <f = $& U S s , a € g/), with the free variables ofS in W. 

• Components are defined by C(W) = P, where C is the component name and P satisfies the gram- 
mar P' ::= C S {W) | C{W) | P' MP', with the free variables ofP in W andL<Z g. 

• An uncontrolled system Z is defined according to the grammar Yl ::= C S {W) \ C(W) \ Y! IX1Z', 
where L C <f andW Cf. 

• Controllers only have events: M ::= a.M \ | M + M with a G S 1 and L C <§ and Con ::= 
M I Con M Con. 

1 L 

• A controlled system is ConSys ::= £ ^ init .Con where LC,f. The set of controlled systems is 

Remark 1 All HYPE models that will be considered in the paper comply with the definition of well- 
defined HYPE models, given in /j^j/. Essentially, each subcomponent must be a self-looping agent of 
the form S = ^ i=1 a ! :cu,-.5' + /mf .CC.S, with each a, of the form (is,ri,Ij), where is is an influence name 
appearing only in subcomponent S. Furthermore, synchronization must involve all shared events. In 
the following, we will also assume that all events appearing in the uncontrolled system appear also in 
the controller. If an event a is not subject to any control (apart from its guard), then we always add a 
controller of the form Con = a. Con. 

3 Transition-driven Stochastic Hybrid Automata 

We now present Transition-Driven Stochastic Hybrid Automata, introduced in El. a formalization of 
stochastic hybrid automata putting emphasis on transitions, which can be either discrete (corresponding 
to instantaneous or stochastic jumps) or continuous (representing flows acting on system's variables). 
This formalism can be seen as an intermediate layer in defining the stochastic hybrid semantics of HYPE. 
In fact, TDSHA can be mapped to Piecewise Deterministic Markov Processes [4], so that their dynamics 
can be formally specified in terms of the latter. Due to space constraints, we will not provide a formal 
treatment of this construction, and refer the reader to [2] for further details. In this context, we will 
also consider a different notion of TDSHA-product, in which transitions can be synchronized on their 
labelling events. 

Definition 3 A Transition-Driven Stochastic Hybrid Automaton (TDSHA) is a tuple ST= (Q, X, S^€ , SF2) \ 
39" mit, S ), where 
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• Q is a finite set of control modes. 

• X = {X\ ,.. . ,X n } is a set of real valued system's variable^] 

• 2F$ is the set of continuous transitions or flows, whose elements x are triples (g T ,s T ,/ T ), where 
q% £ Q is a mode, s T is a vector of size |X|, and f z : M." — )■ R is a (sufficiently smooth) function. 

• EFQi is the set of instantaneous transitions, whose elements 8 are tuples of the form (<?i , gf > #5 > r 5 > 
wg,eg). The transition goes from mode qf to mode q^ and it is labeled by eg £ S. wg € M + is 
the weight of the edge, used to solve non-determinism among two or more active transitions. The 
guard gg is a first- order formula with free variables from X, representing the closed set Gg = 
{x G W | g[x]}, while the reset rg is a conjunction of formulae of the form X 1 = p(X), for some 
variables of the system. Variables not appearing in r are not modified, so that the formula true 
corresponds to the identity reset. 

• E?Sf is the set of stochastic transitions, whose elements t] are tuples of the form f] = (q^ ,q2,g-n,rr>, 
fn,en), where q\, q\, gn, e-q, and r^ are as for transitions in .^^, while f-q : R" — > M + is the rate 
function giving the instantaneous probability of taking transition TJ. We require transitions labeled 
by the same event to have consistent rates: ife™ = e^, then f^ { = f^ 2 . 

• S is a finite set of event names, labelling discrete transitions. £ can be partitioned into $d U S s , 
such that all events labelling instantaneous transitions belong to Sd, while all events labelling 
stochastic transitions are from <§ s . 

• init is a pair (g""',inp), with q m,t £ Q and inp a quantifier-free first order formula with free vari- 
ables in X, representing a point in W. init describes the initial state of the system. 

Dynamics of TDSHA. In order to formally define the dynamical evolution of TDSHA, we can map 
them into a well-studied model of Stochastic Hybrid Automata, namely Piecewise Deterministic Markov 
Processes [4J. We just sketch now some ideas about the dynamical behaviour of TDSHA. 

• Within each discrete mode q G Q, the system follows the solution of a set of ODE, constructed 
combining the effects of the continuous transitions T acting on mode q. The function /r(X) is 
multiplied by the vector s T to determine its effect on each variable and then all such functions are 
added together, so that the ODEs in mode q are X = £ T ?T=? s T • / T (X). 

• Two kinds of discrete jumps are possible. Stochastic transitions are fired according to their rate, 
similarly to standard Markovian Jump Processes. Instantaneous transitions, instead, are fired as 
soon as their guard becomes true. In both cases, the state of the system is reset according to 
the specified reset policyjj Choice among several active stochastic or instantaneous transitions is 
performed probabilistically proportionally to their rate or priority. 

• A trace of the system is therefore a sequence of instantaneous and random jumps interleaved by 
periods of continuous evolution. 

Product of TDSHA. We define now a notion of product of TDSHA which, differently from the one 
introduced in [2], allows also the synchronization of discrete transitions on specific events. In order to do 
this, we must take care of resets, requiring that synchronized transitions do not reset the same variable 
in different ways. Hence, we say that two transitions 5i , o\ (either both discrete or both stochastic) 



2 Notation: the time derivative of Xj is denoted by Xj, while the value of Xj after a change of mode is indicated by X'- 
Note that the formula r defines a function from R" into R", which will be also denoted throughout by r. 
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are reset-compatible if and only if e$ / e§ 2 or r§ 1 Ar^ / false. Two TDSHA are reset-compatible if 
and only if all their discrete or stochastic transitions are pairwise reset-compatible. A similar notion is 
required for the initial conditions: Two TDSHA are init-compatible if and only if, given initial conditions 
initi = (g™ ( ,inpj) and init2 = (q 2 u ,inp 2 ), then inpj Ainp 2 / false. 

Definition 4 Let ,% = (Q,-,X|, ^€^ 2?@)i, Sfcf i, init, , $[), i = 1 , 2 fwo reset-compatible and init-compatible 
TDSHA, and let SC^fl^&e ?/ie synchronization set. The S-product 3?= 3\® s Sh = (<2,X, S^£ ^ ^ 
2/5? mit, <f) « defined by 

1. Q = Q\* Qi; 

2. X = X 1 UX 2 ; 

3. & = &\ U ©2> 

4. init = (g m ",inp), where q' mt = (qf" ,q l 2 ") a?2 ^ i n P = i n Pi Ainp 2 . 

5. 77ie sef of continuous transitions in a mode q = (qi,q 2 ) contains all continuous transitions of q\ 
and all those of q 2 : 

^€ = {((q u q 2 ),S,f) | q x G Q u q 2 G Q 2 ,(q U S,f) G ^fiV(©,S,/) G ^? 2 } 

6. 77ie se^ of instantaneous transitions Sf'S) is the union of non-synchronized instantaneous transitions 
£T3>ns an d of synchronized ones SF3) 's, where 

^S>NS = [((?l,?2),(?i,?2)>S) r > w > e ) I 

(ft,^-,g,r,w,e) G &g>i/\qj = q'j G QjAi^jAegs}, 

and 

S?9 S = J {{q\,q 2 ), (q\,q' 2 ),gi Ag2,n Ar 2 ,mm{w h w 2 },e) | 

(q l ,q' 1 ,g l ,r l ,wi,e)e3^iA(q 2 ,q' 2 ,g2,r 2 ,w 2 ,e)G£rS> 2 AeGSy 

During synchronization, we apply a conservative policy by taking the conjunction of guards and 
resets, and by taking the minimum of weights. 

7. The set of stochastic transitions is defined similarly as 2%/ = ^S^ns U S^s, with 

^"ns = {((quq2),(q' v q 2 ),g,r,f,e) \ 

{qi,4i,g,r,f,e) G ^9 , i Aq j = 4 j G QjAi^jAe&s}, 
and 

^s = [((qi,q2),(q' v q' 2 ),giAg 2 ,riAr 2 ,f,e) I 

{q l ,q' l ,g l ,r u f,e)e^yiA{q 2 ,q' 2 ,g 2 ,r 2 J,e)e ^AeGsJ. 

In the synchronization of stochastic transitions, we use the fact that the rate is the same for all 
transitions labeled by the same event, as required by the consistency condition. 

4 Mapping HYPE to TDSHA 

The mapping from HYPE to TDSHA works compositionally, by associating a TDSHA with each single 
subcomponent and with each piece of the controller, then taking their synchronized product according 
to the synchronization sets of the HYPE system. Guards, rates, and resets of discrete edges will be 
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Figure 2: Schematic representation of the TDSHA £7{Dwnldr), associated with the download module 
of the Orbiter, (left) of the TDSHA Ji7{Con dw ) associated with the download controller (middle) and of 
their TDSHA product ^(Dwnldr) <g> L 3\Con dw ) (right). 

incorporated in the TDSHA of the controller, while continuous transitions will be extracted from the 
uncontrolled system. 

Consider a HYPE model (ConSys, y,IN,IT, £ d ,g s , a?,ec, iv,EC,ID) with ConSys ::=£!*] init. Con. 
Here £ is the uncontrolled system and Con is the controller. In the following, we will refer to the 
activation condition and the reset of an event a G $ by act(a) and res(a), respectively. 



TDSHA of the uncontrolled system. Consider a subcomponent S, having the form S = Y/t=i a r : a i-S + 
init: a. S. S is a self-looping agent which can react to events a,- modifying the state of the influence is, 
which is specific to S, see Remark[T] 

First of all, we need to collect all influences and events appearing in S. The set of influences is (5) 
of a subcomponent S is defined inductively by is(a:a.5') = {a} and is(5i + S2) = is(5i)Uis(52), while 
the set of events ev(S) of S is defined by ev(a:a.S) = {a} if a / init , ev(a:a.S) = otherwise, and 
ev(5i +S2) = ev(Si) Uev^). The set is(5) contains all the possible flows that can be generated by 
the influence with name i$. As only one of them can be active in each state of the system, we will 
introduce one mode for each element of is(S) in the TDSHA of S. Moreover, in each such mode, the only 
continuous transition will be the one that can be derived from the corresponding influence. As for discrete 
edges, observing that the flat structure of S is such that the response to all events is always enabled, we 
will have an outgoing transition for each event appearing in S in each mode of the associated TDSHA. 
The target state of the transition will be the mode corresponding to the influence following the event. 
Resets and guards will be set to true, as event conditions will be associated with the controller. Rates 
of transitions derived from stochastic events a € S s will be set to act (a), as required by the consistency 
condition of TDSHA. Finally, weights will be set to 1, while the initial mode will be deduced from the 
init event. 
Consider the subcomponent 

Dwnldr = init : 81 .Dwnldr + request : So. Dwnldr + completed : Si .Dwnldr 

describing the downloading module of the Orbiter system of Section [2] The TDSHA associated with it 
is visually depicted in Figure [2] (left). It has two modes, corresponding to the two different influences 
<5i = (dw, r, const) and So = (dw,0, const), and two edges, labeled by request, completed. The initial state 
is the mode corresponding to Si . 
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We collect now such considerations into a formal definition. 

Definition 5 Let S = J^Lj a; : OCi.S + init:oc.S be a subcomponent of the HYPE model (ConSys, "V ,IN,IT, 
£ d ,£ s ,*/,ec,iv t EC,ID). The TDSHA 

&(S) = (Q,X, STtf , &3i, 5^, init, S) associated with S is defined by 

1. Q = {q a | « € is(5)}; X = Y; S= <%U S s ; 

2. init = (q a ,true), where S = inif .Oi.S + S'; 

3. S^€ = {(q a ,l iv n s \,r- [/J) | a = (is,r,I) G is(S)}, where l,v(; x ) w ^ vector equal to 1 for the 
component corresponding to variable iv(i$) and zero elsewhere; 

4. 2?3) = {(q ai ,q a2 ,\,true,true,a) \ a G ev(S) D i d A ttl € is(5) AS = a:a 2 .S + S'} 

5. 35? = {(q ai ,q a2 ,true,true,act(a),a) \ a G ev(S) Hi s AOC\ G \s(S) A 5 = a:a 2 .S + S'} 

Once we have the TDSHA of all subcomponents, we can build the TDSHA of the full uncontrolled 
system by applying the product construction of TDSHA. We capture this in the following definition. 

Definition 6 

1. Let P = Pi XI P 2 be a component. Its TDSHA is defined recursively by 3\P X X!P 2 ) = S[P\) <8>z 

snpt). 

2. LetY. = Ei XI £ 2 be an uncontrolled system. Its TDSHA is defined recursively by 3^L\ X£ 2 ) = 
^Ei)® L ^E 2 ). 



TDSHA of the controller. Dealing with the controller is simpler, as controllers are essentially finite 
state automata which impose causality on the happening of events. As anticipated at the beginning of the 
section, event conditions will be assigned to edges of TDSHA associated with controllers. Controllers 
are defined by the two level syntax M = a.M | M + M and Con = M \ Con X Con, hence sequential 
controllers are composed in parallel and synchronized on sets of actions. As for the uncontrolled system, 
we will first define the TDSHA of sequential controllers, and then combine them with the TDSHA 
product construction. Note that all events will be properly dealt with through this construction, as they 
all appear in the controller, see Remark [T] 

Consider a sequential controller M = £,a,-.M r -. The derivative set of M is defined recursively by 
ds(M) = {M} U\J i ds(M i ), where two summations coincide if they are equal up to permutation of ad- 
dends. 

Definition 7 Let (ConSys, Y ',IN ,IT ',$ d ,$ s ,s$ ,ec,iv,EC,ID) be a HYPE model with sequential con- 
troller M. Then 27(M) = (Q,X, 3N> , &@, StS? , init, S), the TDSHA associated with M, is defined by 

1. Q = {qw I M' G ds(M)}; X = y;g=£ d U S s ; 

2. init = (qM, res ( init )), where res( init ) is the reset associated with the init event. 

3. ,T€ = 0; 

4. S^& = {(qM l ,qM 2 ,^^ct(a),res(a),a) | Mi = a.M 2 , Mi,M 2 e ds(M), a G S d , ec(a) = (act(a), 
res(a))}; 

5. ^y = {(qM l ,qM 1 ,true,res(jf),act(la),a) \ Mi = a.M 2 , M\,M 2 G ds(M), a S ^ s , ecia) = (act (a), 
res (a))}, where act (a) : M) ' — > M + is the rate of the transition; 

Definition8 Let Con = Coni ^Con 2 be a controller. The TDSHA of Con is defined recursively as 
,9(Con) = 3?(Con{)®L 3\Con 2 ). 
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Figure 3: Sampled trajectory of the accumulated data of the extended orbiter model of Section 2. 1 Data 
increases during accumulation phases, and remains constant during downloads. It is erased right after 
the download finished. Rate values, fixed just for illustrative purposes, are r = 1.0, A,- = 0.04, A = 0.5, 
IX = 10.0. 

The product construction of Definitions [6] and [8] can be carried on because the factors TDSHA are 
reset-compatible and init-compatible. This is trivial both for the uncontrolled system (all resets are true) 
and for the controller (resets for the same event are equal). Furthermore, stochastic transitions have 
consistent rates, as their rate depends only on the labelling event. 

Consider the controller of the download module of the orbiter; its TDSHA is depicted in Figure [2] 
(middle), omitting the explicit representation of rates and resets. 



TDSHA of the HYPE model. Once we have built the TDSHA of the controller and of the uncontrolled 
system, we simply have to take their product. 

Definition 9 Let (ConSys,1 / ,IN ,IT \$ c ,$ s ,stf \ec,iv,EC,ID) be a HYPE model, with controlled system 
ConSys = £ ^inti. Con. The TDSHA associated with j$ is 



*(. 



&(L) ® L 2?{Con) 



Example 1 In Figureu\(right) we show the product .^[Dwnldr) (8>i ^Con^w), L = {request, completed], 
in order to give an idea of the product construction. In Figure |J] instead, we show a trajectory of the 
variable D, describing the amount of data collected. As we can see, periods in which the data is col- 
lected (linearly), are interleaved by downloads, in which data is not accumulated. Once the download 
has finished, D is set back to zero. Both the download time and the periods between two consecutive 
downloads are randomly distributed. 

As already evident from the previous example, the construction we have defined actually generates 
TDSHA with many unreachable states. This is a consequence of the fact that sequentiality and causality 
on actions is imposed just on the final step, when the controller is synchronized with the uncontrolled 
system. Once the TDSHA is constructed, however, it can be pruned by removing unreachable states (the 
TDSHA of Figure [2] (right) has indeed just two reachable states from the initial one). In order to limit 
combinatorial explosion, one can prune TDSHAs at each intermediate stage. A formal definition of this 
policy, however, would have made the mapping from HYPE to TDSHA much more complex. 



Orbiter revisited. We consider now a more complex version of the orbiter, in which the download 
time depends also on the current temperature. The operational speed of the download can be reduced 
linearly down to zero if the temperature is too high or too low. In order to implement such a modification, 
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we simply have to modify the rate function in the event condition of event completed, replacing it with a 
suitable function of accumulated data and temperature. A sampled trajectory is shown in Figure [4] (left), 
while in Figure [4] (right) we show how the firing time of completed depends on temperature. 



Constant Rals 
— - Temperature Dependent Rate 



Ul/TM/Wtfl 



150 £00 



Figure 4: (left) Sampled trajectory of the accumulated data of the extended orbiter model of Section 2. 1 



with download rate depending on temperature. The rate is maximal, and equal to —^ when temperature 
is in the operational regime, in this example, when 275 < K < 325. When the temperature is lower than 
275 (higher than 325), the download rate linearly decreases to 0, reaching it when K = 225 (K = 350). 
Rate values, for the downloader are r = 1.0, X r = 0.1, A = 1.0, \i = 10.0. Rates and parameters for the 
temperature control mechanism are //, = 200, r c i = 100, r s = 400, k\ = &2 = 250, k^ = k.4 = 300. The 
download time becomes longer with respect to Figure [3] as the temperature falls repeatedly below the 
operational regime, (right) Plot of the downloading rate when it is constant (green) or when it depends 
on temperature (red). In the latter case, the rate is periodically reduced to zero, as temperature falls below 
225. The shadowed region indicates, in both plots, the interval of temperatures in which the download 
has maximum speed. 



5 Related Work 



The modelling approach of HYPE, based on the composition of individual flows, makes it different 
from other hybrid process algebras [12] and from hybrid automata [9]. In these other approaches the 
continuous dynamics is specified by embedding ODEs within the syntactic description of models, while 
in HYPE, ODEs emerge as a combination of active flows. A more detailed comparison between HYPE 
and other hybrid modelling formalisms can be found in [7, 8]. 

As far as stochastic hybrid systems are concerned, there has been previous work aimed at making 
modelling compositional. In [13], Strubbe et al. introduce Communicating Piecewise Deterministic 
Markov Processes (CPDP). This is an automata based formalism which models a system as interacting 
automata. Their chosen level of abstraction is somewhat lower level than ours, comparable with TDSHA. 
In CPDP, as in HYPE, instantaneous transitions may be triggered either by conditions of the continuous 
variables (boundary-hit transitions) or by the expiration of a stochastic determined delay (Markov tran- 
sitions). Interaction between automata is based on one-way synchronisation: in each interaction one 
partner is active while the other is passive. In HYPE, instead, all components may be regarded as active 
with respect to each transition in which they participate, as activation conditions are specified uniquely 
in the model. Components participating in a discrete transition are determined by the construction of the 
HYPE model, where the synchronisation set L in 1X1 specifies which actions must be shared. 

The synchronization mechanics of CPDP has been extended in [ 14], introducing an operator which 
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exploits all possible interactions of active and passive actions. In [ 15] the authors define a notion of 
bisimulation for both PDMPs and CPDPs and show that if CPDPs are bisimilar then they give rise to 
bisimilar PDMPs. Furthermore the equivalence relation is a congruence with respect to the composition 
operator of CPDPs. 

6 Conclusions 

In this paper we extended the hybrid process algebra HYPE, allowing events to fire at (exponentially 
distributed) random times. Although from a syntactic point of view the modifications with respect to 
the original version of HYPE are minimal (non-urgent events become stochastic by replacing their ac- 
tivation condition _L with a functional rate), the semantics of the language is considerably enriched. 
The stochastic hybrid systems obtained from HYPE models fall in the class of Piecewise Deterministic 
Markov Processes. In the paper, we concentrated on showing how such a semantics can be defined. We 
used an intermediate formalism, namely Transition-Driven Stochastic Hybrid Automata, which can then 
be mapped to PDMPs. The way we defined the semantics in terms of TDSHA is quite different from 
the original definition of EIH, in which a hybrid automaton is extracted from the labeled transition sys- 
tem of a HYPE model, defined according to a suitable operational semantics. Here, instead, we directly 
manipulate the model at the syntactic level. 

The mapping from TDSHA to PDMP is quite straightforward, except in one point: One has to 
check that the HYPE model is well-behaved, meaning that it is not possible that an infinite sequence of 
instantaneous transitions fires in the same time instant. Unfortunately, checking this property in general 
is undecidable, hence in [8] we put forward a set of decidable but stricter conditions on HYPE models, 
that guarantee that a model is well-behaved and that are usually satisfied in practical cases. 

As the syntax of HYPE is basically unchanged, all the results of [7 , 8 ] depending on syntactic features 
still hold. In particular, the notion of bisimulation of HYPE models extends untouched in this new setting. 
As a future investigation, we plan to compare this bisimulation relation with other bisimulations designed 
for PDMPs HH. 

In the current version of HYPE, stochasticity has been introduced just in terms of random occurrence 
in the time of events. It is often useful to have stochasticity also in resets. This would allow the quanti- 
tative modelling of uncertainty in the outcome of certain actions. Such an extension can be done along 
the lines of the current paper, even if it requires a modification of the definition of TDSHA, allowing 
stochastic resets. However, the class of target stochastic processes remains that of PDMP. 

Future work includes also the implementation of an efficient simulator for (stochastic) HYPE. More- 
over, we will model specific case studies, to prove its effectiveness as a hybrid modelling language. 
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